Datatilsynet (Denmark) - 2022-442-21566: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2022-442-21566 |ECLI= |Original_Source_Name_1=Kritik af Hovedstadens Beredskabs mangelfulde rettighedsstyring |Original_Source_Link_1=https://www.datatilsynet.dk/afgoerelser/afgoerelser/2023/mar/kritik-af-hovedstadens-beredskabs-mangelfulde-rettighedsstyring |Original_Source_Language_1=Danish |Original_Sourc...")
 
No edit summary
 
(6 intermediate revisions by the same user not shown)
Line 61: Line 61:
}}
}}


The DPA criticised Hovedstadens Beredskab for exposing HR data of 2,029 current and previous employees. The controller violated [[Article 32 GDPR#1|Article 32(1) GDPR]] by not implementing appropriate technical and organisational measures.
[[Article 32 GDPR]] entails that HR data should be available, on a need-to-know basis, and in general, only accessible to the HR department, and no other colleagues.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In November 2022, Hovedstadens Beredskab I/S (HB) notified the Danish DPA (Datatilsynet) about the following incidence:
The Capitol's Emergency Service in Denmark (Hovedstadens Beredskab I/S) (the controller) reported a data breach to the Danish DPA after become aware of wide accessibility to HR data. 
All employees and not merely authorised users of a new human resources (HR) electronic document and records management system (EDRMS) had access to the personal identification numbers, names, and addresses of 2,029 former and current employees. 6 users without access rights were reported to have accessed information stored in the EDRMS for no work-related reason.
 
The data breach was reported after the controller became aware of the fact that its new electronic case & document management (ESDH) system allowed all employees to access of current and former employees' personal data. The data consisted the full names, social security numbers, and addresses, including protected addresses, of over 2000 persons. After a closer investigation, the controller stated that 6 users, who have accessed information about current or former employees, did not have a work-related need to access the information.
 
It appears from the controller's statement, that the controller, and the supplier of the ESDH system, both, were allegedly unaware of the fact that this information was accessible to all employees.  
 
Following the reported data breach, the supplier started to plan for a solution, where it is possible, to ensure that only authorised users can search access the personal data in the ESDH system. Moreveover, the controller started conducting an analysis of how many and which types of users have a work-related need for access to the relevant information about current and former employees.


=== Holding ===
=== Holding ===
The DPA (Datatilsynet) criticised the controller for failing to ensure technical and organisational measures (Article 32 GDPR(1) ‘Security of processing') were implemented. The resulting insufficient security level did not reduce risks related to HB’s processing of personal HR data. Further, the DPA emphasised the obligation of the controller to conduct risk assessments and ensure appropriate safeguards, i.e. providing least-privilege user access, thereby limiting access to the EDRMS to employees with certain work-related duties.  
It follows from Article 32(1) that the controller has a duty to identify the risks that the controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks. 
 
The DPA held that Article 32 GDPR will normally mean that user access to systems should be limited to the personal data that is necessary for the work-related needs of the users in question. In this particular case, the DPA held that only employees in the controller's HR department needs access to the information in question.  
 
Eventually, the DPA suggested to sanction the controller by expressing critisism for the controller's failure to ensure that technical and organisational measures were implemented pursuant to Article 32(1) GDPR.


In its criticism, the DPA emphasised that 5 months following the incidence notification and almost a year since the EDRMS implementation, technical measures were still not introduced to prevent unauthorised access. Although the controller reported to have anonymised personal identification numbers, identifying natural persons was still easily attainable due to names,  
The DPA took in consideration that the controller expects a change to be implemented in the ESDH system to limit access rights of users to ensure that only authorised users can search for personal data on current and former employees. Furthermore, the DPA noted that before the system changes are implemented, the controller checks the system logs on an ongoing basis, and that affected data subjects will be notified on an ongoing basis, if their information is accessed.  
dates of birth, and addresses being continuously accessible.


== Comment ==
== Comment ==
''Share your comments here!''
''In Denmark, GDPR fines are imposed by the courts. The Danish DPA can recommend to impose fines on both private actors and public authorities. Before notifying the case to the police, the DPA assesses the amount of the fine, and it is then up to the police and the prosecution to bring charges and conduct the criminal case court. In this case, the DPA did not propose a fine on the controller.''


== Further Resources ==
== Further Resources ==

Latest revision as of 08:15, 21 June 2023

Datatilsynet - 2022-442-21566
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 32(1) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 22.03.2023
Fine: n/a
Parties: Hovedstadens Beredskab I/S
National Case Number/Name: 2022-442-21566
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Kritik af Hovedstadens Beredskabs mangelfulde rettighedsstyring (in DA)
Initial Contributor: Maximilien Hjortland

Article 32 GDPR entails that HR data should be available, on a need-to-know basis, and in general, only accessible to the HR department, and no other colleagues.

English Summary

Facts

The Capitol's Emergency Service in Denmark (Hovedstadens Beredskab I/S) (the controller) reported a data breach to the Danish DPA after become aware of wide accessibility to HR data.

The data breach was reported after the controller became aware of the fact that its new electronic case & document management (ESDH) system allowed all employees to access of current and former employees' personal data. The data consisted the full names, social security numbers, and addresses, including protected addresses, of over 2000 persons. After a closer investigation, the controller stated that 6 users, who have accessed information about current or former employees, did not have a work-related need to access the information.

It appears from the controller's statement, that the controller, and the supplier of the ESDH system, both, were allegedly unaware of the fact that this information was accessible to all employees.

Following the reported data breach, the supplier started to plan for a solution, where it is possible, to ensure that only authorised users can search access the personal data in the ESDH system. Moreveover, the controller started conducting an analysis of how many and which types of users have a work-related need for access to the relevant information about current and former employees.

Holding

It follows from Article 32(1) that the controller has a duty to identify the risks that the controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks.

The DPA held that Article 32 GDPR will normally mean that user access to systems should be limited to the personal data that is necessary for the work-related needs of the users in question. In this particular case, the DPA held that only employees in the controller's HR department needs access to the information in question.

Eventually, the DPA suggested to sanction the controller by expressing critisism for the controller's failure to ensure that technical and organisational measures were implemented pursuant to Article 32(1) GDPR.

The DPA took in consideration that the controller expects a change to be implemented in the ESDH system to limit access rights of users to ensure that only authorised users can search for personal data on current and former employees. Furthermore, the DPA noted that before the system changes are implemented, the controller checks the system logs on an ongoing basis, and that affected data subjects will be notified on an ongoing basis, if their information is accessed.

Comment

In Denmark, GDPR fines are imposed by the courts. The Danish DPA can recommend to impose fines on both private actors and public authorities. Before notifying the case to the police, the DPA assesses the amount of the fine, and it is then up to the police and the prosecution to bring charges and conduct the criminal case court. In this case, the DPA did not propose a fine on the controller.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Criticism of Hovedstadens Emergency Management's inadequate rights management

Date: 22-03-2023

Decision Public authorities Criticism Reported breach of personal data security Processing security Access control CPR number

The Danish Data Protection Authority has made a decision in a case where all users of the capital's Emergency Management ESDH system had access to contact information, including social security numbers and protected addresses, about former and current employees.

Journal number: 2022-442-21566

Summary

Hovedstadens Beredskab I/S reported a breach of personal data security to the Danish Data Protection Authority in November 2022, as they themselves had established that all users of their ESDH system since the system was put into use in May 2022 had had access to the full names of current and former employees, social security numbers and addresses, including protected addresses.

Hovedstadens Beredskab stated that the contact information is used in connection with the journaling of personnel matters. According to Hovedstadens Beredskab, access to the information in question should have been differentiated so that they could designate which employees have a work-related need to work with the information, and so that only these employees were granted access to it. However, Hovedstadens Emergency Services and their supplier had not been aware of the lack of opportunity to differentiate access rights to the information in question.

In its decision to express criticism, the Norwegian Data Protection Authority has placed particular emphasis on the fact that all users of the ESDH system, since the system was put into use, have had access to contact information, which also contained confidential information about protected addresses and social security numbers, about 2,029 current and former employees, even if it was only employees in Hovedstadens Beredskab's HR department who needed such access.

Decision

The Danish Data Protection Authority hereby returns to the case where Hovedstadens Beredskab I/S reported a breach of personal data security to the Danish Data Protection Authority on 26 November 2022. The report has the following reference number:

d2ee46917e7483afb339f30f6b152c0e639c0ab4.

1. Decision

After a review of the case, the Danish Data Protection Authority finds that there are grounds for expressing criticism that Hovedstadens Beredskab I/S' processing of personal data has not taken place in accordance with the rules in the data protection regulation[1] article 32, subsection 1.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

On 26 November 2022, Hovedstadens Beredskab I/S reported a breach of personal data security to the Norwegian Data Protection Authority.

It appears from the notification that all users of Hovedstadens Beredskab I/S' ESDH system since the system was put into use on 30 May 2022 have had access to current and former employees' full names, social security numbers and addresses, including protected addresses. Hovedstadens Beredskab I/S has subsequently stated that there are 184 users at Hovedstadens Beredskab I/S, and that there are also 4 test users and 6 users at the supplier. In addition, Hovedstadens Beredskab I/S has stated that the ESDH system contains information on 2,029 current or former employees.

Hovedstadens Beredskab I/S has stated that the contact information of current and former employees is used in connection with the journaling of personnel cases, where the HR department creates individual cases and assigns the employees as parties to the case. After a closer investigation, Hovedstadens Beredskab I/S has established that 6 users who have accessed information about current or former employees did not have a work-related need to access the information.

According to Hovedstadens Beredskab I/S, access to the contact information about current and former employees should have been differentiated so that Hovedstadens Beredskab I/S could designate which employees have a work-related need to work with the information. Hovedstadens Beredskab I/S has stated in this connection that Hovedstadens Beredskab I/S and their supplier have not been aware of the lack of differentiation in access rights to the ESDH contact register, which contains information about current and former employees.

It also appears from the case that users of the system still have access to information about current and former employees' social security numbers and names. In this connection, Hovedstadens Beredskab I/S has stated that the social security numbers are anonymised in the search results, so that it is only possible to see the date of birth. However, it is possible to access further information by clicking on a search result, whereby the contact (master card) itself is displayed. It is still possible to see social security numbers on the identity card. However, the residential addresses of current and former employees are no longer available in the ESDH system, and "No" has been marked for all the contacts in the fields where it must be stated whether a contact has name and address protection.

Finally, it appears from the case that Hovedstadens Beredskab I/S' supplier plans to implement a solution in the system where it is possible via the system's authorization system to ensure that only authorized users can search for personal data in the ESDH contact register. Hovedstadens Beredskab I/S has further stated that it will be possible to authorize users at six levels, which correspond to their work-related needs. Hovedstadens Beredskab I/S is currently conducting an analysis of how many and which types of users at Hovedstadens Beredskab I/S and the supplier have a work-related need for access to the relevant information about current and former employees.

In this connection, Hovedstadens Beredskab I/S has stated that the change in the system is expected to be operational on 18 April 2023. This is because the supplier can deliver a release with the changed authorization functionality at the end of March at the earliest, after which the release must be installed at Hovedstadens Beredskab I/S in their test system and then in production. In the period up to 18 April 2023, Hovedstadens Beredskab I/S will continuously check logs of incidents in the master cards, and the affected registered persons whose information has been accessed by users of the ESDH system will be continuously notified.

3. Reason for the Data Protection Authority's decision

On the basis of the information provided by Hovedstadens Beredskab I/S on 26 November 2022, 12 December 2022, 18 January 2023 and 2 March 2023, the Danish Data Protection Authority assumes that since 30 May 2022 it has been possible for all users of their ESDH system to access current and former employees' names, social security numbers and addresses, including protected addresses.

The Danish Data Protection Authority also assumes that until 18 April 2023 it will still be possible for users of the ESDH system to access information about the names and social security numbers of current and former employees.

3.1. Article 32 of the Data Protection Regulation

It follows from the data protection regulation article 32, subsection 1, that the data controller must take appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in the data controller's processing of personal data.

The data controller thus has a duty to identify the risks that the data controller's processing poses to the data subjects and to ensure that appropriate security measures are introduced to protect the data subjects against these risks.

The Danish Data Protection Authority is of the opinion that the requirement cf. Article 32 for adequate security will normally mean that user access to systems is limited to the personal data that is necessary for the work-related needs of the users in question.

Based on the above background, the Danish Data Protection Authority finds grounds for expressing criticism that Hovedstadens Beredskab - by not having ensured differentiated user access to former and current employees' contact information in the ESDH system, so that it is possible to designate the users who have a work-related need for access to the information in question – has not taken appropriate organizational and technical measures to ensure a level of security that matches the risks involved in Hovedstadens Beredskab I/S processing of personal data, cf. the data protection regulation, article 32, subsection 1.

The Danish Data Protection Authority has thereby emphasized that all users of the ESDH system since the system was put into use on 30 May 2022 have had access to, among other things, confidential information about 2,029 current or former employees at Hovedstaden Beredskab I/S, and that only employees in Hovedstaden Beredskab I/S's HR department need access to the information in question.

The Danish Data Protection Authority has noted that Hovedstadens Beredskab I/S expects a change to the system to be put into operation on 18 April 2023, when it is possible via the system's authorization system to ensure that only authorized users can search for personal data on current and former employees.

The Danish Data Protection Authority has also noted that, in the period up to 18 April 2023, Hovedstadens Beredskab I/S will check logs of incidents in the master cards on an ongoing basis, and that the affected registrants will be notified on an ongoing basis if their information has been accessed by users of ESDH -the system.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).